The Biden administration has released new guidance for federal agencies that will require them to use only software that has been developed using secure development practices and instructs agencies to require some form of certification from the vendors they work with. The guidance is a follow-up to a 2021 executive order, and is just the beginning of what will be a long process of securing the federal software supply chain.
Supply chain security has become a serious concern for both private enterprise and government agencies, particularly in the last couple of years as APT groups have focused their efforts on compromising vendors and products that are widely used and/or incorporated into other software packages. The canonical example at this point is the intrusion at SolarWinds in late 2020 that also affected FireEye, Microsoft, and many of the company’s other customers. Attackers affiliated with the Russian government were able to compromise a build server inside of SolarWinds and insert a backdoor in the company’s Orion IT monitoring software, which was then propagated to a subset of SolarWinds’s customers, giving the attackers access to those environments, as well.
Other supply chain attacks have surfaced recently, including an attack on Kaseya in 2021 by REvil ransomware actors. The new guidance from the Office of Management and Budget at the White House seeks to address the issue by requiring agencies to get self-attestations from software vendors, documents that will lay out the vendors’ compliance with software development and cybersecurity practices from the National Institute of Standards and Technology.
“Not too long ago, the only real criteria for the quality of a piece of software was whether it worked as advertised. With the cyber threats facing Federal agencies, our technology must be developed in a way that makes it resilient and secure, ensuring the delivery of critical services to the American people while protecting the data of the American public and guarding against foreign adversaries,” Chris DeRusha, federal CISO and deputy national cyber director, said.
“This is not theoretical: foreign governments and criminal syndicates are regularly seeking ways to compromise our digital infrastructure.”
The guidance from OMB is the beginning rather than the end of this process. It is rather general and broad and does not include any specifics of what exactly self-attestations must include. The guidance also says agencies may require a software bill of materials (SBOM) from a vendor, but does not lay out any specifics for that document, either, aside from the minimum elements of an SBOM described by the Cybersecurity and Infrastructure Security Agency. An SBOM is a specific type of document that details what the basic and nested elements of a given piece of software are, including libraries and dependencies.
“This is moving at lightspeed, honestly, for government regulations."
Some of those specifics will come in the next 90 days, while others may be farther down the line. The release of the guidance is a signal from that the federal government that it plans to use its purchasing power to raise the bar for software makers’ security practices.
“This is step one in getting this going. It’s hard for companies to exert this kind of pressure. It has to start with somebody somewhere,” said Dan Lorenc, co-founder of Chainguard, a software supply chain security firm.
SBOMs have been around for several years, but their adoption rate among software makers is not very high at the moment, even among large, mature vendors. Lorenc stressed that there’s much more to it than simply filling out a form and listing the software ingredients in a product.
“I think adoption is pretty low across the board right now among all companies. They’re just getting into a position now where they can do this,” he said. “Everyone is waiting until the last minute to get in.”
There are a number of milestones included in the new guidance, the first of which is the requirement that federal agencies inventory all of their software, critical and otherwise, within the next 90 days. Within 120 days, agencies have to design a process to get the guidance’s requirements to their vendors, and within 180 days develop a training plan to review the attestations. The road may seem long, but given that the executive order from President Biden only landed in May 2021, just having the guidance out within 18 months is a feat unto itself.
“This is moving at lightspeed, honestly, for government regulations,” Lorenc said.